Do you use your fingerprint to unlock Windows? You are in danger


Just like on mobile phones, the fingerprint has become a very fast, comfortable and simple option to log in to the PC. Since Windows 10, the operating system has had a tool, called Windows Hello, that simplifies the login as much as possible, allowing you to use facial recognition, fingerprint, a PIN, etc. However, this security measure may not be as secure as it should be.

A couple of days ago, a group of security researchers from Blackwing Intelligence reported a series of very serious security flaws in the three most common fingerprint readers on the market. There are many affected models, but the one that has caught our attention most is the reader included in the Microsoft Surface Pro Type Cover itself, the 2-in-1 tablet par excellence from Microsoft.


The sensors affected by these security flaws are of the MoC type, that is, Match on Chip. Sensors of this type use an integrated microprocessor to verify authentication requests. It is the cheapest way to make a fingerprint reader, but it is also the most insecure, since it opens several avenues of attack for hackers.

To prevent these attack vectors, Microsoft created a secure connection protocol, SDCP, which ensures that the reader is trusted and has not been tampered with. However, researchers have discovered several techniques to evade the security measures and spoof SDCP connections to rewrite the fingerprint database stored by others. They also discovered that one of the chips, ELAN, used by the Microsoft Surface Pro, did not use the SDCP connection at all, but instead communicated over unencrypted USB.
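The difference between a cleartext link and an authenticated one can be shown with a simplified host-side check. This is an added example, not code from Microsoft or Blackwing Intelligence, and it does not reproduce the real SDCP message format; the `Sensor` class, the `identify` label, the session key and the IDs are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Simplified model of a sensor-to-host channel. NOT the real SDCP wire format:
# the key handling, message layout and all names here are assumptions.

class Sensor:
    def __init__(self, session_key, enrolled_ids):
        self.key = session_key
        self.enrolled = set(enrolled_ids)

    def identify(self, nonce, presented_id):
        """Return (id, mac) when the presented ID is enrolled, else None."""
        if presented_id not in self.enrolled:
            return None
        msg = b"identify" + nonce + presented_id
        return presented_id, hmac.new(self.key, msg, hashlib.sha256).digest()


def host_accepts_cleartext(response):
    # Weak design: any well-formed "match" message on the bus is trusted.
    return response is not None


def host_accepts_authenticated(key, nonce, response):
    # Hardened design: the match must carry a MAC over the host's fresh nonce.
    if response is None:
        return False
    matched_id, mac = response
    expected = hmac.new(key, b"identify" + nonce + matched_id, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def demo():
    key = secrets.token_bytes(32)        # constructed session key
    sensor = Sensor(key, [b"user-1"])    # constructed enrolled ID
    nonce = secrets.token_bytes(16)
    genuine = sensor.identify(nonce, b"user-1")
    forged = (b"user-1", b"\x00" * 32)   # sent by a device that lacks the key
    new_nonce = secrets.token_bytes(16)  # a later login attempt
    return {
        "cleartext_forged": host_accepts_cleartext(forged),
        "auth_genuine": host_accepts_authenticated(key, nonce, genuine),
        "auth_forged": host_accepts_authenticated(key, nonce, forged),
        "auth_replayed": host_accepts_authenticated(key, new_nonce, genuine),
    }


if __name__ == "__main__":
    print(demo())
```

The host that checks the MAC rejects both the forged message and the replay of an earlier genuine one, while the cleartext host accepts anything shaped like a match.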

What can I do?

Unfortunately, these security problems are not up to us. Therefore, there is not much we can do. It must be the manufacturers who, if they want to offer users the most secure connection possible, update the firmware of the reader chips, something that, to be honest, is unlikely to happen.

Furthermore, depending on the design of the fingerprint reader (for example, in the case of the Surface), it will even be impossible to fix it without a hardware revision.

Now, the security flaw exists, and it is real. But does it really affect us? The first thing we need to know is that it is a fairly complicated bug to exploit, so it is not within everyone's reach. It also requires physical access to the device (that is, it has been stolen), and the attacker must first evade other security layers, such as BitLocker, to be able to access the Windows Hello login window.

If we add to all of the above that these security flaws are not public, but have been detected by White Hat security researchers, it is difficult for them to end up in the hands of hackers. In any case, if you don’t trust the security of Windows Hello now, you can always disable the use of your fingerprint by logging in with a PIN, password, or whatever method you prefer.
